Clement Lorteau wrote:
> > Your GPG key is not signed by anyone. You should try to meet someone
> > that can sign it, preferably a DD or someone whose key is signed by a
> > DD. Look at this page: https://nm.debian.org/gpg.php
> > If you live in Paris or near Paris, I can sign your key.
>
> I do live near Paris. I'll contact you in private. However, is the key
> signing needed for uploading the package? I had 2 versions of another
> package uploaded without having to have my key signed.
...<snip>...

If I were intimately familiar with a package and had looked at EVERYTHING, I would be comfortable uploading a package signed with an unverified key. But that is a lot of work (and I am basically asking everyone to hold me accountable for any problems ;-).

It is much more likely that I would not duplicate someone else's effort. When I decide to accept what someone else has done, then it becomes much more important to be able to identify that person. At the point where I might want to say I got code from someone else, the signed key becomes critical.

I could upload a package that was sent with an unverified key, but that would speak volumes about my judgement. When I sign a package (or another key for that matter), a person can rely on my judgement as input. I do not promote worthless input. It should be easy to understand why a person would hesitate to accept an unverified key, since it could make their judgement worthless.
Richard
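The rule quoted above ("signed by a DD, or by someone whose key is signed by a DD") can be checked mechanically against a keyring. The following is an added example written for this page, not code from anyone in the thread or from the Debian project: it parses the machine-readable output of `gpg --with-colons --list-sigs` and reports, for each key, how many certification hops separate it from a Debian Developer's key. The key IDs, fingerprints and user IDs in the embedded listing are constructed for the example, and the set of "DD" key IDs is a stand-in for the real debian-keyring.

```python
"""Added example (not from the thread): is a key reachable from a Debian
Developer's key within two certification hops?

Parses `gpg --with-colons --list-sigs` output and reports whether each key
is signed directly by a DD key, signed by someone whose key a DD signed, or
not certified by anyone else at all. All key IDs, fingerprints and user IDs
below are constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed: long key IDs we treat as Debian Developers. A real check would
# load the DD keyring (the debian-keyring package) instead of this literal.
DD_KEYIDS = {"1111222233334444"}

# Constructed keyring listing in `gpg --with-colons --list-sigs` format.
# Relevant fields (1-based, as in GnuPG's doc/DETAILS): 1 record type,
# 5 key ID, 10 user ID (or fingerprint on fpr records), 11 signature class.
SAMPLE_LISTING = """\
pub:-:4096:1:AAAA000011112222:1600000000:::-:::scESC::::::23::0:
fpr:::::::::0000AAAA000011112222AAAA000011112222AAAA:
uid:-::::1600000000::X1::Sponsoree One <one@example.org>::::::::::0:
sig:::1:AAAA000011112222:1600000000::::Sponsoree One <one@example.org>:13x:::::2:
sig:::1:1111222233334444:1600100000::::Some DD <dd@example.org>:10x:::::2:
pub:-:4096:1:BBBB000011112222:1600000000:::-:::scESC::::::23::0:
fpr:::::::::0000BBBB000011112222BBBB000011112222BBBB:
uid:-::::1600000000::X2::Sponsoree Two <two@example.org>::::::::::0:
sig:::1:BBBB000011112222:1600000000::::Sponsoree Two <two@example.org>:13x:::::2:
sig:::1:AAAA000011112222:1600200000::::Sponsoree One <one@example.org>:10x:::::2:
pub:-:4096:1:CCCC000011112222:1600000000:::-:::scESC::::::23::0:
fpr:::::::::0000CCCC000011112222CCCC000011112222CCCC:
uid:-::::1600000000::X3::Sponsoree Three <three@example.org>::::::::::0:
sig:::1:CCCC000011112222:1600000000::::Sponsoree Three <three@example.org>:13x:::::2:
sig:::1:1111222233334444:1600300000::::Some DD <dd@example.org>:10l:::::2:
pub:-:4096:1:DDDD000011112222:1600000000:::-:::scESC::::::23::0:
fpr:::::::::0000DDDD000011112222DDDD000011112222DDDD:
uid:-::::1600000000::X4::Sponsoree Four <four@example.org>::::::::::0:
sig:::1:DDDD000011112222:1600000000::::Sponsoree Four <four@example.org>:13x:::::2:
"""


@dataclass
class Key:
    keyid: str
    fingerprint: str = ""
    uid: str = ""
    signers: set = field(default_factory=set)  # other keys that certified a UID


def parse_listing(text):
    """Build {long key ID: Key} from --with-colons --list-sigs output."""
    keys, current = {}, None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = Key(keyid=f[4])
            keys[current.keyid] = current
        elif f[0] == "sub":
            current = None  # subkey records carry no identity certifications
        elif current is None:
            continue
        elif f[0] == "fpr" and not current.fingerprint:
            current.fingerprint = f[9]
        elif f[0] == "uid" and not current.uid:
            current.uid = f[9]
        elif f[0] == "sig":
            signer, sigclass = f[4], f[10]
            # Count only exportable certifications (classes 0x10-0x13) made by
            # another key: self-signatures and local ('l') signatures do not
            # vouch for the holder's identity to anyone else.
            if (signer != current.keyid and sigclass[:2] in ("10", "11", "12", "13")
                    and sigclass.endswith("x")):
                current.signers.add(signer)
    return keys


def hops_to_dd(keyid, keys, dd_keyids, max_hops=2):
    """Shortest certification path length from keyid to a DD key.

    0 = the key itself is a DD key, 1 = signed by a DD, 2 = signed by someone a
    DD signed. None if no path exists within max_hops (or the key is unknown).
    """
    if keyid in dd_keyids:
        return 0
    frontier, seen = {keyid}, {keyid}
    for hop in range(1, max_hops + 1):
        next_frontier = set()
        for k in frontier:
            key = keys.get(k)
            if key is None:
                continue
            for signer in key.signers:
                if signer in dd_keyids:
                    return hop
                if signer not in seen:
                    seen.add(signer)
                    next_frontier.add(signer)
        frontier = next_frontier
    return None


def describe(keyid, keys, dd_keyids):
    labels = {0: "is a DD key", 1: "signed by a DD", 2: "signed by someone a DD signed"}
    return labels.get(hops_to_dd(keyid, keys, dd_keyids),
                      "no certification path to a DD: treat as unverified")


KEYS = parse_listing(SAMPLE_LISTING)

if __name__ == "__main__":
    for key in KEYS.values():
        print(f"{key.fingerprint}  {key.uid}: {describe(key.keyid, KEYS, DD_KEYIDS)}")
```

Two caveats a sponsor would want. The sample matches signers on 64-bit long key IDs because that is what `sig` records expose; before relying on a match, look the signer up by full fingerprint in the keyring, since short and long key IDs can be deliberately collided. And this script only reproduces the one-hop rule from the quoted advice; GnuPG's own trust database (`gpg --check-trustdb`, ownertrust and the marginal/complete thresholds) is the tool for a real web-of-trust decision.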